Merge branch 'ent-6354-Bug-de-creacion-de-dashboard-con-permisos-no-ALL' into 'develop'

Ent 6354 bug de creacion de dashboard con permisos no all See merge request artica/pandorafms!3780
2021-01-25 10:02:41 +01:00 · 2021-01-25 10:02:41 +01:00 · 7a614fcf48
parent 4d81396956 731d486455
commit 7a614fcf48
39 changed files with 580 additions and 129 deletions
--- a/pandora_console/godmode/agentes/planned_downtime.editor.php
+++ b/pandora_console/godmode/agentes/planned_downtime.editor.php
@ -143,16 +143,29 @@ $user_groups_ad = array_keys(
    users_get_groups($config['id_user'], $access)
 );

+// Check AD permission on downtime.
+$downtime_group = db_get_value(
+    'id_group',
+    'tplanned_downtime',
+    'id',
+    $id_downtime
+);
+
+if ($id_downtime > 0) {
+    if (!check_acl_restricted_all($config['id_user'], $downtime_group, 'AW')
+        && !check_acl_restricted_all($config['id_user'], $downtime_group, 'AD')
+    ) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access downtime scheduler'
+        );
+        include 'general/noaccess.php';
+        return;
+    }
+}
+
 // INSERT A NEW DOWNTIME_AGENT ASSOCIATION.
 if ($insert_downtime_agent === 1) {
-    // Check AD permission on downtime.
-    $downtime_group = db_get_value(
-        'id_group',
-        'tplanned_downtime',
-        'id',
-        $id_downtime
-    );
-
    if ($downtime_group === false
        || !in_array($downtime_group, $user_groups_ad)
    ) {
@ -644,11 +657,20 @@ $table->data[0][1] = html_print_input_text(
    true,
    $disabled_in_execution
 );
+
+$return_all_group = false;
+
+if (users_can_manage_group_all('AW') === true
+    || users_can_manage_group_all('AD') === true
+) {
+    $return_all_group = true;
+}
+
 $table->data[1][0] = __('Group');
 $table->data[1][1] = '<div class="w250px">'.html_print_select_groups(
    false,
    $access,
-    true,
+    $return_all_group,
    'id_group',
    $id_group,
    '',
--- a/pandora_console/godmode/agentes/planned_downtime.list.php
+++ b/pandora_console/godmode/agentes/planned_downtime.list.php
@ -476,22 +476,42 @@ else {
        if (in_array($downtime['id_group'], $groupsAD)) {
            // Stop button
            if ($downtime['type_execution'] == 'once' && $downtime['executed'] == 1) {
-                $data['stop'] = '<a href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.list'.'&stop_downtime=1&id_downtime='.$downtime['id'].'&'.$filter_params_str.'">'.html_print_image('images/cancel.png', true, ['title' => __('Stop downtime')]);
+                if (check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW')
+                    || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD')
+                ) {
+                    $data['stop'] = '<a href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.list'.'&stop_downtime=1&id_downtime='.$downtime['id'].'&'.$filter_params_str.'">'.html_print_image('images/cancel.png', true, ['title' => __('Stop downtime')]);
+                } else {
+                    $data['stop'] = html_print_image('images/cancel.png', true, ['title' => __('Stop downtime')]);
+                }
            } else {
                $data['stop'] = '';
            }

            // Edit & delete buttons.
            if ($downtime['executed'] == 0) {
-                // Edit.
-                $data['edit'] = '<a href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.editor&edit_downtime=1&id_downtime='.$downtime['id'].'">'.html_print_image('images/config.png', true, ['title' => __('Update')]).'</a>';
-                // Delete.
-                $data['delete'] = '<a id="delete_downtime" href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.list'.'&delete_downtime=1&id_downtime='.$downtime['id'].'&'.$filter_params_str.'">'.html_print_image('images/cross.png', true, ['title' => __('Delete')]);
+                if (check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW')
+                    || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD')
+                ) {
+                    // Edit.
+                    $data['edit'] = '<a href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.editor&edit_downtime=1&id_downtime='.$downtime['id'].'">'.html_print_image('images/config.png', true, ['title' => __('Update')]).'</a>';
+                    // Delete.
+                    $data['delete'] = '<a id="delete_downtime" href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.list'.'&delete_downtime=1&id_downtime='.$downtime['id'].'&'.$filter_params_str.'">'.html_print_image('images/cross.png', true, ['title' => __('Delete')]);
+                } else {
+                    $data['edit'] = '';
+                    $data['delete'] = '';
+                }
            } else if ($downtime['executed'] == 1 && $downtime['type_execution'] == 'once') {
-                // Edit.
-                $data['edit'] = '<a href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.editor&edit_downtime=1&id_downtime='.$downtime['id'].'">'.html_print_image('images/config.png', true, ['title' => __('Update')]).'</a>';
-                // Delete.
-                $data['delete'] = __('N/A');
+                if (check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW')
+                    || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD')
+                ) {
+                    // Edit.
+                    $data['edit'] = '<a href="index.php?sec=extensions&sec2=godmode/agentes/planned_downtime.editor&edit_downtime=1&id_downtime='.$downtime['id'].'">'.html_print_image('images/config.png', true, ['title' => __('Update')]).'</a>';
+                    // Delete.
+                    $data['delete'] = __('N/A');
+                } else {
+                    $data['edit'] = '';
+                    $data['delete'] = '';
+                }
            } else {
                $data['edit'] = '';
                $data['delete'] = '';
--- a/pandora_console/godmode/alerts/alert_actions.php
+++ b/pandora_console/godmode/alerts/alert_actions.php
@ -77,6 +77,15 @@ if ($copy_action) {

    $al_action = alerts_get_alert_action($id);

+    if (!check_acl_restricted_all($config['id_user'], $al_action['id_group'], 'LM')) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access Alert Management'
+        );
+        include 'general/noaccess.php';
+        exit;
+    }
+
    if ($al_action !== false) {
        // If user tries to copy an action with group=ALL.
        if ($al_action['id_group'] == 0) {
@ -144,6 +153,15 @@ if ($delete_action) {

    $al_action = alerts_get_alert_action($id);

+    if (!check_acl_restricted_all($config['id_user'], $al_action['id_group'], 'LM')) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access Alert Management'
+        );
+        include 'general/noaccess.php';
+        exit;
+    }
+
    if ($al_action !== false) {
        // If user tries to delete an action with group=ALL.
        if ($al_action['id_group'] == 0) {
@ -236,11 +254,18 @@ $table_filter->data[0][1] = html_print_input_text(
    255,
    true
 );
+
+$return_all_group = false;
+
+if (users_can_manage_group_all('LM') === true) {
+    $return_all_group = true;
+}
+
 $table_filter->data[0][2] = __('Group');
 $table_filter->data[0][3] = html_print_select_groups(
    $config['id_user'],
    'LM',
-    true,
+    $return_all_group,
    'group_search',
    $group_search,
    '',
@ -370,7 +395,12 @@ foreach ($actions as $action) {

    $data = [];

-    $data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_action&id='.$action['id'].'&pure='.$pure.'">'.$action['name'].'</a>';
+    if (check_acl_restricted_all($config['id_user'], $action['id_group'], 'LM')) {
+        $data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_action&id='.$action['id'].'&pure='.$pure.'">'.$action['name'].'</a>';
+    } else {
+        $data[0] = $action['name'];
+    }
+
    $data[1] = $action['command_name'];
    $data[2] = ui_print_group_icon($action['id_group'], true).'&nbsp;';
    if (!alerts_validate_command_to_action($action['id_group'], $action['command_group'])) {
@ -384,8 +414,11 @@ foreach ($actions as $action) {
        );
    }

+    $data[3] = '';
+    $data[4] = '';
+
    if (is_central_policies_on_node() === false
-        && check_acl($config['id_user'], $action['id_group'], 'LM')
+        && check_acl_restricted_all($config['id_user'], $action['id_group'], 'LM')
    ) {
        $table->cellclass[] = [
            3 => 'action_buttons',
--- a/pandora_console/godmode/alerts/alert_commands.php
+++ b/pandora_console/godmode/alerts/alert_commands.php
@ -556,7 +556,9 @@ foreach ($commands as $command) {
    $data = [];

    $data['name'] = '<span style="font-size: 7.5pt">';
-    if (! $command['internal']) {
+
+    // (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group.
+    if (!$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) {
        $data['name'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_command&id='.$command['id'].'&pure='.$pure.'">'.$command['name'].'</a>';
    } else {
        $data['name'] .= $command['name'];
@ -580,7 +582,9 @@ foreach ($commands as $command) {
    );
    $data['action'] = '';
    $table->cellclass[]['action'] = 'action_buttons';
-    if ($is_central_policies_on_node === false && !$command['internal']) {
+
+    // (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group.
+    if ($is_central_policies_on_node === false && !$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) {
        $data['action'] = '<span style="display: inline-flex">';
        $data['action'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/alert_commands&amp;copy_command=1&id='.$command['id'].'&pure='.$pure.'"
 			onClick="if (!confirm(\''.__('Are you sure?').'\')) return false;">'.html_print_image('images/copy.png', true).'</a>';
--- a/pandora_console/godmode/alerts/alert_templates.php
+++ b/pandora_console/godmode/alerts/alert_templates.php
@ -401,13 +401,17 @@ foreach ($templates as $template) {

    $data = [];

-    $data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&id='.$template['id'].'&pure='.$pure.'">'.$template['name'].'</a>';
+    if (check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')) {
+        $data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&id='.$template['id'].'&pure='.$pure.'">'.$template['name'].'</a>';
+    } else {
+        $data[0] = $template['name'];
+    }

    $data[1] = ui_print_group_icon($template['id_group'], true);
    $data[3] = alerts_get_alert_templates_type_name($template['type']);

    if (is_central_policies_on_node() === false
-        && check_acl($config['id_user'], $template['id_group'], 'LM')
+        && check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')
    ) {
        $table->cellclass[][4] = 'action_buttons';
        $data[4] = '<form method="post" action="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&pure='.$pure.'" style="display: inline; float: left">';
--- a/pandora_console/godmode/alerts/configure_alert_action.php
+++ b/pandora_console/godmode/alerts/configure_alert_action.php
@ -101,6 +101,15 @@ if ($id) {

    $group = $action['id_group'];
    $action_threshold = $action['action_threshold'];
+
+    if (!check_acl_restricted_all($config['id_user'], $action['id_group'], 'LM')) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access Alert Management'
+        );
+        include 'general/noaccess.php';
+        exit;
+    }
 }

 // Hidden div with help hint to fill with javascript.
@ -168,10 +177,16 @@ $table->data[1][0] = __('Group');

 $own_info = get_user_info($config['id_user']);

+$return_all_group = false;
+
+if (users_can_manage_group_all('LW') === true) {
+    $return_all_group = true;
+}
+
 $table->data[1][1] = '<div class="w250px inline">'.html_print_select_groups(
    false,
    'LW',
-    true,
+    $return_all_group,
    'group',
    $group,
    '',
--- a/pandora_console/godmode/alerts/configure_alert_command.php
+++ b/pandora_console/godmode/alerts/configure_alert_command.php
@ -48,15 +48,18 @@ if (is_metaconsole() === true) {
    );
 }

-
-if ($update_command) {
-    $id = (int) get_parameter('id');
+if ($id > 0) {
    $alert = alerts_get_alert_command($id);
-    if ($alert['internal']) {
+
+    if ($alert['internal'] || !check_acl_restricted_all($config['id_user'], $alert['id_group'], 'LM')) {
        db_pandora_audit('ACL Violation', 'Trying to access Alert Management');
        include 'general/noaccess.php';
        exit;
    }
+}
+
+if ($update_command) {
+    $alert = alerts_get_alert_command($id);

    $name = (string) get_parameter('name');
    $command = (string) get_parameter('command');
@ -216,12 +219,18 @@ $table->data['command'][1] = html_print_textarea(
    $is_central_policies_on_node
 );

+$return_all_group = false;
+
+if (users_can_manage_group_all('LM') === true) {
+    $return_all_group = true;
+}
+
 $table->colspan['group'][1] = 3;
 $table->data['group'][0] = __('Group');
 $table->data['group'][1] = '<div class="w250px inline">'.html_print_select_groups(
    false,
    'LM',
-    true,
+    $return_all_group,
    'id_group',
    $id_group,
    false,
--- a/pandora_console/godmode/alerts/configure_alert_template.php
+++ b/pandora_console/godmode/alerts/configure_alert_template.php
@ -55,6 +55,15 @@ if (defined('METACONSOLE')) {
 if ($a_template !== false) {
    // If user tries to duplicate/edit a template with group=ALL
    if ($a_template['id_group'] == 0) {
+        if (users_can_manage_group_all('LM') === false) {
+                db_pandora_audit(
+                    'ACL Violation',
+                    'Trying to access Alert Management'
+                );
+            include 'general/noaccess.php';
+            exit;
+        }
+
        // Header
        if (defined('METACONSOLE')) {
            alerts_meta_print_header();
@ -1091,18 +1100,18 @@ if ($step == 2) {
    $table->data[0][1] .= '&nbsp;&nbsp;'.__('Group');
    $groups = users_get_groups();
    $own_info = get_user_info($config['id_user']);
-    // Only display group "All" if user is administrator or has "PM" privileges.
-    if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'PM')) {
-        $display_all_group = true;
-    } else {
-        $display_all_group = false;
+
+    $return_all_group = false;
+
+    if (users_can_manage_group_all('LM') === true) {
+        $return_all_group = true;
    }

    $table->data[0][1] .= '&nbsp;';
    $table->data[0][1] .= '<div class="w250px inline">'.html_print_select_groups(
        false,
        'AR',
-        $display_all_group,
+        $return_all_group,
        'id_group',
        $id_group,
        '',
--- a/pandora_console/godmode/events/event_edit_filter.php
+++ b/pandora_console/godmode/events/event_edit_filter.php
@ -40,7 +40,15 @@ $strict_user = db_get_value(
 );

 if ($id) {
-    $permission = events_check_event_filter_group($id);
+    $restrict_all_group = false;
+
+    if (!users_can_manage_group_all('EW') === true
+        && !users_can_manage_group_all('EM') === true
+    ) {
+        $restrict_all_group = true;
+    }
+
+    $permission = events_check_event_filter_group($id, $restrict_all_group);
    if (!$permission) {
        // User doesn't have permissions to see this filter
        include 'general/noaccess.php';
@ -276,12 +284,18 @@ $table->data[1][1] = '<div class="w250px">'.html_print_select_groups(
    $strict_user
 ).'</div>';

+$return_all_group = false;
+
+if (users_can_manage_group_all('AR') === true) {
+    $return_all_group = true;
+}
+
 $table->data[2][0] = '<b>'.__('Group').'</b>';
 $display_all_group = (users_is_admin() || users_can_manage_group_all('AR'));
 $table->data[2][1] = '<div class="w250px">'.html_print_select_groups(
    $config['id_user'],
    'AR',
-    $display_all_group,
+    $return_all_group,
    'id_group',
    $id_group,
    '',
--- a/pandora_console/godmode/events/event_filter.php
+++ b/pandora_console/godmode/events/event_filter.php
@ -35,6 +35,19 @@ $multiple_delete = (bool) get_parameter('multiple_delete', 0);
 if ($delete) {
    $id = (int) get_parameter('id');

+    $filter_group = (int) db_get_value('id_group', 'tevent_filter', 'id_filter', $id);
+
+    if (!check_acl_restricted_all($config['id_user'], $filter_group, 'EW')
+        && !check_acl_restricted_all($config['id_user'], $filter_group, 'EM')
+    ) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access events filter editor'
+        );
+        include 'general/noaccess.php';
+        return;
+    }
+
    $id_filter = db_get_value('id_filter', 'tevent_filter', 'id_filter', $id);

    if ($id_filter === false) {
@ -151,13 +164,27 @@ foreach ($filters as $filter) {
    $data = [];

    $data[0] = html_print_checkbox_extended('delete_multiple[]', $filter['id_filter'], false, false, '', 'class="check_delete"', true);
-    $data[1] = '<a href="index.php?sec=geventos&sec2=godmode/events/events&section=edit_filter&id='.$filter['id_filter'].'&pure='.$config['pure'].'">'.$filter['id_name'].'</a>';
+
+    if (!check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EW')
+        && !check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EM')
+    ) {
+        $data[1] = $filter['id_name'];
+    } else {
+        $data[1] = '<a href="index.php?sec=geventos&sec2=godmode/events/events&section=edit_filter&id='.$filter['id_filter'].'&pure='.$config['pure'].'">'.$filter['id_name'].'</a>';
+    }
+
    $data[2] = ui_print_group_icon($filter['id_group_filter'], true);
    $data[3] = events_get_event_types($filter['event_type']);
    $data[4] = events_get_status($filter['status']);
    $data[5] = events_get_severity_types($filter['severity']);
-    $table->cellclass[][6] = 'action_buttons';
-    $data[6] = "<a onclick='if(confirm(\"".__('Are you sure?')."\")) return true; else return false;'href='index.php?sec=geventos&sec2=godmode/events/events&section=filter&delete=1&id=".$filter['id_filter'].'&offset=0&pure='.$config['pure']."'>".html_print_image('images/cross.png', true, ['title' => __('Delete')]).'</a>';
+    $data[6] = '';
+
+    if (check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EW')
+        || check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EM')
+    ) {
+        $table->cellclass[][6] = 'action_buttons';
+        $data[6] = "<a onclick='if(confirm(\"".__('Are you sure?')."\")) return true; else return false;'href='index.php?sec=geventos&sec2=godmode/events/events&section=filter&delete=1&id=".$filter['id_filter'].'&offset=0&pure='.$config['pure']."'>".html_print_image('images/cross.png', true, ['title' => __('Delete')]).'</a>';
+    }

    array_push($table->data, $data);
 }
--- a/pandora_console/godmode/events/event_responses.editor.php
+++ b/pandora_console/godmode/events/event_responses.editor.php
@ -39,6 +39,16 @@ $event_response_id = get_parameter('id_response', 0);

 if ($event_response_id > 0) {
    $event_response = db_get_row('tevent_response', 'id', $event_response_id);
+
+    // ACL check for event response edition.
+    if (!check_acl_restricted_all($config['id_user'], $event_response['id_group'], 'PM')) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access Group Management'
+        );
+        include 'general/noaccess.php';
+        return;
+    }
 } else {
    $event_response = [];
    $event_response['name'] = '';
@ -84,8 +94,14 @@ $data[1] = html_print_input_text(
 );
 $data[1] .= html_print_input_hidden('id_response', $event_response['id'], true);

+$return_all_group = false;
+
+if (users_can_manage_group_all('PM') === true) {
+    $return_all_group = true;
+}
+
 $data[2] = __('Group');
-$data[3] = html_print_select_groups(false, 'PM', true, 'id_group', $event_response['id_group'], '', '', '', true);
+$data[3] = html_print_select_groups(false, 'PM', $return_all_group, 'id_group', $event_response['id_group'], '', '', '', true);
 $table->data[0] = $data;

 $data = [];
--- a/pandora_console/godmode/events/event_responses.list.php
+++ b/pandora_console/godmode/events/event_responses.list.php
@ -55,6 +55,10 @@ $table->head[3] = __('Actions');
 $table->data = [];

 foreach ($event_responses as $response) {
+    if (!check_acl_restricted_all($config['id_user'], $response['id_group'], 'PM')) {
+        continue;
+    }
+
    $data = [];
    $data[0] = '<a href="index.php?sec=geventos&sec2=godmode/events/events&section=responses&mode=editor&id_response='.$response['id'].'&amp;pure='.$config['pure'].'">'.$response['name'].'</a>';
    $data[1] = $response['description'];
--- a/pandora_console/godmode/gis_maps/configure_gis_map.php
+++ b/pandora_console/godmode/gis_maps/configure_gis_map.php
@ -30,6 +30,14 @@ require_once 'include/functions_gis.php';
 $idMap = (int) get_parameter('map_id', 0);
 $action = get_parameter('action', 'new_map');

+$gis_map_group = db_get_value('group_id', 'tgis_map', 'id_tgis_map', $idMap);
+
+if ($idMap > 0 && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW') && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW')) {
+    db_pandora_audit('ACL Violation', 'Trying to access map builder');
+    include 'general/noaccess.php';
+    return;
+}
+
 $sec2 = get_parameter_get('sec2');
 $sec2 = safe_url_extraclean($sec2);

@ -453,14 +461,15 @@ $table->data[1][1] = "<table style='padding:0px;' class='no-class' border='0' id
 	</tr> ".gis_add_conection_maps_in_form($map_connection_list).'
 </table>';
 $own_info = get_user_info($config['id_user']);
-if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'MM')) {
-    $display_all_group = true;
-} else {
-    $display_all_group = false;
+
+$return_all_group = false;
+
+if (users_can_manage_group_all('MM') === true) {
+    $return_all_group = true;
 }

 $table->data[2][0] = __('Group');
-$table->data[2][1] = html_print_select_groups(false, 'IW', $display_all_group, 'map_group_id', $map_group_id, '', '', '', true);
+$table->data[2][1] = html_print_select_groups(false, 'IW', $return_all_group, 'map_group_id', $map_group_id, '', '', '', true);

 $table->data[3][0] = __('Default zoom');
 $table->data[3][1] = html_print_input_text('map_zoom_level', $map_zoom_level, '', 2, 4, true).html_print_input_hidden('map_levels_zoom', $map_levels_zoom, true);
--- a/pandora_console/godmode/netflow/nf_edit.php
+++ b/pandora_console/godmode/netflow/nf_edit.php
@ -68,6 +68,19 @@ $multiple_delete = (bool) get_parameter('multiple_delete', 0);
 $id = (int) get_parameter('id');
 $name = (string) get_parameter('name');

+if ($id > 0) {
+    $filter_group = db_get_value('id_group', 'tnetflow_filter', 'id_sg', $id);
+
+    if (!check_acl_restricted_all($config['id_user'], $filter_group, 'AW')) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access events filter editor'
+        );
+        include 'general/noaccess.php';
+        return;
+    }
+}
+
 if ($delete) {
    $id_filter = db_get_value('id_name', 'tnetflow_filter', 'id_sg', $id);
    $result = db_process_sql_delete(
@ -164,12 +177,24 @@ $total_filters = $total_filters[0]['total'];
 foreach ($filters as $filter) {
    $data = [];

-    $data[0] = html_print_checkbox_extended('delete_multiple[]', $filter['id_sg'], false, false, '', 'class="check_delete"', true);
-    $data[1] = '<a href="'.$config['homeurl'].'index.php?sec=netf&sec2=godmode/netflow/nf_edit_form&id='.$filter['id_sg'].'&pure='.$pure.'">'.$filter['id_name'].'</a>';
+    $data[0] = '';
+
+    if (check_acl_restricted_all($config['id_user'], $filter['id_group'], 'AW')) {
+        $data[0] = html_print_checkbox_extended('delete_multiple[]', $filter['id_sg'], false, false, '', 'class="check_delete"', true);
+        $data[1] = '<a href="'.$config['homeurl'].'index.php?sec=netf&sec2=godmode/netflow/nf_edit_form&id='.$filter['id_sg'].'&pure='.$pure.'">'.$filter['id_name'].'</a>';
+    } else {
+        $data[1] = $filter['id_name'];
+    }
+
+
    $data[2] = ui_print_group_icon($filter['id_group'], true, 'groups_small', '', !defined('METACONSOLE'));
-    $table->cellclass[][3] = 'action_buttons';
-    $data[3] = "<a onclick='if(confirm(\"".__('Are you sure?')."\")) return true; else return false;' 
-        href='".$config['homeurl'].'index.php?sec=netf&sec2=godmode/netflow/nf_edit&delete=1&id='.$filter['id_sg']."&offset=0&pure=$pure'>".html_print_image('images/cross.png', true, ['title' => __('Delete')]).'</a>';
+    $data[3] = '';
+
+    if (check_acl_restricted_all($config['id_user'], $filter['id_group'], 'AW')) {
+        $table->cellclass[][3] = 'action_buttons';
+        $data[3] = "<a onclick='if(confirm(\"".__('Are you sure?')."\")) return true; else return false;' 
+            href='".$config['homeurl'].'index.php?sec=netf&sec2=godmode/netflow/nf_edit&delete=1&id='.$filter['id_sg']."&offset=0&pure=$pure'>".html_print_image('images/cross.png', true, ['title' => __('Delete')]).'</a>';
+    }

    array_push($table->data, $data);
 }
--- a/pandora_console/godmode/reporting/graph_builder.main.php
+++ b/pandora_console/godmode/reporting/graph_builder.main.php
@ -132,12 +132,20 @@ $output .= '>';

 $own_info = get_user_info($config['id_user']);

+$return_all_group = true;
+
+if (users_can_manage_group_all('RW') === false
+    && users_can_manage_group_all('RM') === false
+) {
+    $return_all_group = false;
+}
+
 $output .= '<td><b>'.__('Group').'</b></td><td>';
 if (check_acl($config['id_user'], 0, 'RW')) {
    $output .= html_print_select_groups(
        $config['id_user'],
        'RW',
-        true,
+        $return_all_group,
        'graph_id_group',
        $id_group,
        '',
@ -149,7 +157,7 @@ if (check_acl($config['id_user'], 0, 'RW')) {
    $output .= html_print_select_groups(
        $config['id_user'],
        'RM',
-        true,
+        $return_all_group,
        'graph_id_group',
        $id_group,
        '',
--- a/pandora_console/godmode/reporting/graph_builder.php
+++ b/pandora_console/godmode/reporting/graph_builder.php
@ -83,6 +83,20 @@ $change_weight = (bool) get_parameter('change_weight', false);
 $change_label = (bool) get_parameter('change_label', false);
 $id_graph = (int) get_parameter('id', 0);

+if ($id_graph > 0) {
+    $graph_group = db_get_value('id_group', 'tgraph', 'id_graph', $id_graph);
+    if (!check_acl_restricted_all($config['id_user'], $graph_group, 'RW')
+        && !check_acl_restricted_all($config['id_user'], $graph_group, 'RM')
+    ) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access graph builder'
+        );
+        include 'general/noaccess.php';
+        exit;
+    }
+}
+
 if ($id_graph !== 0) {
    $sql = "SELECT * FROM tgraph 
 	WHERE (private = 0 OR (private = 1 AND id_user = '".$config['id_user']."'))
--- a/pandora_console/godmode/reporting/graphs.php
+++ b/pandora_console/godmode/reporting/graphs.php
@ -88,7 +88,11 @@ ui_print_page_header(__('Reporting').' &raquo; '.__('Custom graphs'), 'images/ch

 // Delete module SQL code
 if ($delete_graph) {
-    if ($report_w || $report_m) {
+    $graph_group = db_get_value('id_group', 'tgraph', 'id_graph', $id);
+
+    if (check_acl_restricted_all($config['id_user'], $graph_group, 'RW')
+        || check_acl_restricted_all($config['id_user'], $graph_group, 'RM')
+    ) {
        $exist = db_get_value('id_graph', 'tgraph_source', 'id_graph', $id);
        if ($exist) {
            $result = db_process_sql_delete('tgraph_source', ['id_graph' => $id]);
@ -299,16 +303,17 @@ $table_aux = new stdClass();

                $data[4] = '';
                $table->cellclass[][4] = 'action_buttons';
-                if (($report_w || $report_m)) {
+                if (check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RM')
+                    || check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RW')
+                ) {
                    $data[4] = '<a href="index.php?sec=reporting&sec2=godmode/reporting/graph_builder&edit_graph=1&id='.$graph['id_graph'].'">'.html_print_image('images/config.png', true).'</a>';
                }

-                if ($report_m) {
+                $data[5] = '';
+                if (check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RM')) {
                    $data[4] .= '<a href="index.php?sec=reporting&sec2=godmode/reporting/graphs&delete_graph=1&id='.$graph['id_graph'].'" onClick="if (!confirm(\''.__('Are you sure?').'\'))
                    return false;">'.html_print_image('images/cross.png', true, ['alt' => __('Delete'), 'title' => __('Delete')]).'</a>';
-                }

-                if ($report_m) {
                    $data[5] .= html_print_checkbox_extended('delete_multiple[]', $graph['id_graph'], false, false, '', 'class="check_delete" style="margin-left:2px;"', true);
                }

--- a/pandora_console/godmode/reporting/map_builder.php
+++ b/pandora_console/godmode/reporting/map_builder.php
@ -123,8 +123,8 @@ if ($delete_layout || $copy_layout) {

    // ACL for the visual console
    // $vconsole_read = check_acl ($config['id_user'], $group_id, "VR");
-    $vconsole_write = check_acl($config['id_user'], $group_id, 'VW');
-    $vconsole_manage = check_acl($config['id_user'], $group_id, 'VM');
+    $vconsole_write = check_acl_restricted_all($config['id_user'], $group_id, 'VW');
+    $vconsole_manage = check_acl_restricted_all($config['id_user'], $group_id, 'VM');

    if (!$vconsole_write && !$vconsole_manage) {
        db_pandora_audit(
@ -441,8 +441,10 @@ if (!$maps && !is_metaconsole()) {
        $data[1] = ui_print_group_icon($map['id_group'], true);
        $data[2] = db_get_sql('SELECT COUNT(*) FROM tlayout_data WHERE id_layout = '.$map['id']);

-        // Fix: IW was the old ACL for report editing, now is RW
-        if ($vconsoles_write || $vconsoles_manage) {
+        $vconsoles_write_action_btn = check_acl_restricted_all($config['id_user'], $map['id_group'], 'VW');
+        $vconsoles_manage_action_btn = check_acl_restricted_all($config['id_user'], $map['id_group'], 'VM');
+
+        if ($vconsoles_write_action_btn || $vconsoles_manage_action_btn) {
            if (!is_metaconsole()) {
                $table->cellclass[] = [
                    3 => 'action_buttons',
--- a/pandora_console/godmode/reporting/reporting_builder.main.php
+++ b/pandora_console/godmode/reporting/reporting_builder.main.php
@ -114,11 +114,17 @@ if (isset($write_groups[$idGroupReport]) === false && $idGroupReport) {
    $write_groups[$idGroupReport] = groups_get_name($idGroupReport);
 }

+$return_all_group = false;
+
+if (users_can_manage_group_all('RW') === true) {
+    $return_all_group = true;
+}
+
 $table->data['group'][1] = '<div class="w290px inline">';
 $table->data['group'][1] .= html_print_select_groups(
    $config['id_user'],
    'AR',
-    true,
+    $return_all_group,
    'id_group',
    $idGroupReport,
    '',
--- a/pandora_console/godmode/reporting/reporting_builder.php
+++ b/pandora_console/godmode/reporting/reporting_builder.php
@ -158,6 +158,26 @@ $pure = get_parameter('pure', 0);
 $schedule_report = get_parameter('schbutton', '');
 $pagination = (int) get_parameter('pagination', $config['block_size']);

+if ($action == 'edit' && $idReport > 0) {
+    $report_group = db_get_value(
+        'id_group',
+        'treport',
+        'id_report',
+        $idReport
+    );
+
+    if (! check_acl_restricted_all($config['id_user'], $report_group, 'RW')
+        && ! check_acl_restricted_all($config['id_user'], $report_group, 'RM')
+    ) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access report builder'
+        );
+        include 'general/noaccess.php';
+        exit;
+    }
+}
+
 if ($schedule_report != '') {
    $id_user_task = 1;
    $scheduled = 'no';
@ -909,8 +929,8 @@ switch ($action) {

                $data = [];

-                if (check_acl($config['id_user'], $report['id_group'], 'RW')
-                    || check_acl($config['id_user'], $report['id_group'], 'RM')
+                if (check_acl_restricted_all($config['id_user'], $report['id_group'], 'RW')
+                    || check_acl_restricted_all($config['id_user'], $report['id_group'], 'RM')
                ) {
                    $data[0] = '<a href="'.$config['homeurl'].'index.php?sec=reporting&sec2=godmode/reporting/reporting_builder&action=edit&id_report='.$report['id_report'].'&pure='.$pure.'">'.ui_print_truncate_text($report['name'], 70).'</a>';
                } else {
@ -994,7 +1014,7 @@ switch ($action) {

                switch ($type_access_selected) {
                    case 'group_view':
-                        $edit = check_acl(
+                        $edit = check_acl_restricted_all(
                            $config['id_user'],
                            $report['id_group'],
                            'RW'
@ -1005,7 +1025,7 @@ switch ($action) {
                    break;

                    case 'group_edit':
-                        $edit = check_acl(
+                        $edit = check_acl_restricted_all(
                            $config['id_user'],
                            $report['id_group_edit'],
                            'RW'
--- a/pandora_console/godmode/reporting/visual_console_builder.data.php
+++ b/pandora_console/godmode/reporting/visual_console_builder.data.php
@ -133,13 +133,18 @@ if ($action == 'new') {
 	src="">';
 }

-$table->data[1][0] = __('Group:');
+$table->data[1][0] = __('Group');

+$return_all_group = false;
+
+if (users_can_manage_group_all('RW') === true) {
+    $return_all_group = true;
+}

 $table->data[1][1] = '<div class="w250px">'.html_print_select_groups(
    $config['id_user'],
    'RW',
-    true,
+    $return_all_group,
    'id_group',
    $idGroup,
    '',
--- a/pandora_console/godmode/reporting/visual_console_builder.php
+++ b/pandora_console/godmode/reporting/visual_console_builder.php
@ -85,8 +85,8 @@ else if ($activeTab != 'data' || ($activeTab == 'data' && $action != 'new')) {

    // ACL for the existing visual console
    // $vconsole_read = check_acl ($config['id_user'], $visualConsole['id_group'], "VR");
-    $vconsole_write = check_acl($config['id_user'], $visualConsole['id_group'], 'VW');
-    $vconsole_manage = check_acl($config['id_user'], $visualConsole['id_group'], 'VM');
+    $vconsole_write = check_acl_restricted_all($config['id_user'], $visualConsole['id_group'], 'VW');
+    $vconsole_manage = check_acl_restricted_all($config['id_user'], $visualConsole['id_group'], 'VM');
 } else {
    db_pandora_audit(
        'ACL Violation',
@ -143,8 +143,8 @@ switch ($activeTab) {

                // ACL for the new visual console
                // $vconsole_read_new = check_acl ($config['id_user'], $idGroup, "VR");
-                $vconsole_write_new = check_acl($config['id_user'], $idGroup, 'VW');
-                $vconsole_manage_new = check_acl($config['id_user'], $idGroup, 'VM');
+                $vconsole_write_new = check_acl_restricted_all($config['id_user'], $idGroup, 'VW');
+                $vconsole_manage_new = check_acl_restricted_all($config['id_user'], $idGroup, 'VM');

                // The user should have permissions on the new group
                if (!$vconsole_write_new && !$vconsole_manage_new) {
--- a/pandora_console/godmode/snmpconsole/snmp_alert.php
+++ b/pandora_console/godmode/snmpconsole/snmp_alert.php
@ -494,6 +494,15 @@ if ($update_alert || $duplicate_alert) {
    $position = $alert['position'];
    $disable_event = $alert['disable_event'];
    $group = $alert['id_group'];
+
+    if (!check_acl_restricted_all($config['id_user'], $group, 'LW')) {
+        db_pandora_audit(
+            'ACL Violation',
+            'Trying to access SNMP Alert Management'
+        );
+        include 'general/noaccess.php';
+        return;
+    }
 } else if ($create_alert) {
    // Variable init
    $id_as = -1;
@ -814,13 +823,19 @@ if ($create_alert || $update_alert) {
    html_print_input_text('source_ip', $source_ip, '', 20);
    echo '</td></tr>';

+    $return_all_group = false;
+
+    if (users_can_manage_group_all('LW') === true) {
+        $return_all_group = true;
+    }
+
    // Group
    echo '<tr id="tr-group"><td class="datos2">'.__('Group').'</td><td class="datos2">';
    echo '<div class="w250px">';
    html_print_select_groups(
        $config['id_user'],
        'AR',
-        true,
+        $return_all_group,
        'group',
        $group,
        '',
@ -1346,10 +1361,17 @@ if ($create_alert || $update_alert) {
        $url = 'index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'id_alert_snmp='.$row['id_as'].'&'.'update_alert=1';
        $data[1] = '<table>';
        $data[1] .= '<tr>';
-        $data[1] .= '<a href="'.$url.'">'.alerts_get_alert_action_name($row['id_alert']).'</a>';
+
+        if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) {
+            $data[1] .= '<a href="'.$url.'">'.alerts_get_alert_action_name($row['id_alert']).'</a>';
+        } else {
+            $data[1] .= alerts_get_alert_action_name($row['id_alert']);
+        }
+
        $other_actions = db_get_all_rows_filter('talert_snmp_action', ['id_alert_snmp' => $row['id_as']]);
        $data[1] .= '</tr>';

+
        if ($other_actions != false) {
            foreach ($other_actions as $action) {
                $data[1] .= '<tr>';
@ -1361,6 +1383,7 @@ if ($create_alert || $update_alert) {

        $data[1] .= '</table>';

+
        $data[2] = $row['agent'];
        $data[3] = $row['oid'];
        $data[4] = $row['custom_oid'];
@ -1373,18 +1396,23 @@ if ($create_alert || $update_alert) {
            $data[7] = __('Never');
        }

-        $data[8] = '<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'duplicate_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).'</a>'.'<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'update_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).'</a>'.'<a href="javascript:show_add_action_snmp(\''.$row['id_as'].'\');">'.html_print_image('images/add.png', true, ['title' => __('Add action')]).'</a>'.'<a href="index.php?sec=snmpconsole&sec2=godmode/snmpconsole/snmp_alert&delete_alert='.$row['id_as'].'" onClick="javascript:return confirm(\''.__('Are you sure?').'\')">'.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).'</a>';
+        if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) {
+                $data[8] = '<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'duplicate_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).'</a>'.'<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'update_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).'</a>'.'<a href="javascript:show_add_action_snmp(\''.$row['id_as'].'\');">'.html_print_image('images/add.png', true, ['title' => __('Add action')]).'</a>'.'<a href="index.php?sec=snmpconsole&sec2=godmode/snmpconsole/snmp_alert&delete_alert='.$row['id_as'].'" onClick="javascript:return confirm(\''.__('Are you sure?').'\')">'.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).'</a>';


-        $data[9] = html_print_checkbox_extended(
-            'delete_ids[]',
-            $row['id_as'],
-            false,
-            false,
-            false,
-            'class="chk_delete"',
-            true
-        );
+                $data[9] = html_print_checkbox_extended(
+                    'delete_ids[]',
+                    $row['id_as'],
+                    false,
+                    false,
+                    false,
+                    'class="chk_delete"',
+                    true
+                );
+        } else {
+            $data[8] = '';
+            $data[9] = '';
+        }

        $idx = count($table->data);
        // The current index of the table is 1 less than the count of table data so we count before adding to table->data
--- a/pandora_console/include/class/CredentialStore.class.php
+++ b/pandora_console/include/class/CredentialStore.class.php
@ -351,7 +351,21 @@ class CredentialStore extends Wizard
            return db_get_value_sql($sql);
        }

-        return db_get_all_rows_sql($sql);
+        $return = db_get_all_rows_sql($sql);
+
+        // Filter out those items of group all that cannot be edited by user.
+        $return = array_filter(
+            $return,
+            function ($item) {
+                if ($item['id_group'] == 0 && users_can_manage_group_all('AR') === false) {
+                    return false;
+                } else {
+                    return true;
+                }
+            }
+        );
+
+        return $return;
    }


@ -857,6 +871,12 @@ class CredentialStore extends Wizard
            $values = [];
        }

+        $return_all_group = false;
+
+        if (users_can_manage_group_all('AR') === true) {
+            $return_all_group = true;
+        }
+
        $form = [
            'action'   => '#',
            'id'       => 'modal_form',
@ -886,7 +906,7 @@ class CredentialStore extends Wizard
                'id'             => 'id_group',
                'input_class'    => 'flex-row',
                'type'           => 'select_groups',
-                'returnAllGroup' => true,
+                'returnAllGroup' => $return_all_group,
                'selected'       => $values['id_group'],
                'return'         => true,
                'class'          => 'w50p',
@ -1045,6 +1065,7 @@ class CredentialStore extends Wizard
        * Process datatable item before draw it.
        */
        function process_datatables_item(item) {
+
            id = item.identifier;

            idrow = '<b><a href="javascript:" onclick="show_form(\'';
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@ -2363,6 +2363,71 @@ function check_acl_one_of_groups($id_user, $groups, $access, $cache=true)
 }


+/**
+ * Check access privileges to resources (write or management is not allowed for 'all' group )
+ *
+ * Access can be:
+ * IR - Incident/report Read
+ * IW - Incident/report Write
+ * IM - Incident/report Management
+ * AR - Agent Read
+ * AW - Agent Write
+ * LW - Alert Write
+ * UM - User Management
+ * DM - DB Management
+ * LM - Alert Management
+ * PM - Pandora Management
+ *
+ * @param integer $id_user      User id
+ * @param integer $id_group     Agents group id to check from
+ * @param string  $access       Access privilege
+ * @param boolean $onlyOneGroup Flag to check acl for specified group only (not to roots up, or check acl for 'All' group when $id_group is 0).
+ *
+ * @return boolean 1 if the user has privileges, 0 if not.
+ */
+function check_acl_restricted_all($id_user, $id_group, $access, $onlyOneGroup=false)
+{
+    if (empty($id_user)) {
+        // User ID needs to be specified
+        trigger_error('Security error: check_acl got an empty string for user id', E_USER_WARNING);
+        return 0;
+    } else if (is_user_admin($id_user)) {
+        return 1;
+    } else {
+        $id_group = (int) $id_group;
+    }
+
+    $access_string = get_acl_column($access);
+
+    if ($id_group != 0 || $onlyOneGroup === true) {
+        $groups_list_acl = users_get_groups($id_user, $access, false, true, null);
+    } else {
+        $groups_list_acl = get_users_acl($id_user);
+
+        // Only allow view ACL tokens in case user cannot manage group all.
+        if (users_can_manage_group_all($access) === false) {
+            if (preg_match('/_view/i', $access_string) == 0) {
+                return 0;
+            }
+        }
+    }
+
+    if (is_array($groups_list_acl)) {
+        if (isset($groups_list_acl[$id_group])) {
+            if (isset($groups_list_acl[$id_group][$access_string])
+                && $groups_list_acl[$id_group][$access_string] > 0
+            ) {
+                return 1;
+            } else {
+                return 0;
+            }
+        }
+    }
+
+    return 0;
+}
+
+
 /**
 * Get the name of the database column of one access flag
 *
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@ -3284,7 +3284,7 @@ function events_get_status($status_id)
 *
 * @return boolean True if the user has permissions or false otherwise.
 */
-function events_check_event_filter_group($id_filter)
+function events_check_event_filter_group($id_filter, $restrict_all_group=false)
 {
    global $config;

@ -3295,7 +3295,11 @@ function events_check_event_filter_group($id_filter)

    // Permissions in any group allow to edit "All group" filters.
    if ($id_group == 0 && !empty($groups_user)) {
-        return true;
+        if ($restrict_all_group === true) {
+            return false;
+        } else {
+            return true;
+        }
    }

    $groups_id = [];
--- a/pandora_console/include/functions_users.php
+++ b/pandora_console/include/functions_users.php
@ -123,12 +123,17 @@ function users_get_groups_for_select(
    $returnAllColumns=false,
    $id_groups=null,
    $keys_field='id_grupo',
-    $ajax_format=false
+    $ajax_format=false,
+    $check_user_can_manage_all=false
 ) {
    if ($id_groups === false) {
        $id_groups = null;
    }

+    if ($check_user_can_manage_all === true && users_can_manage_group_all($privilege) === false) {
+        $returnAllGroup = false;
+    }
+
    $user_groups = users_get_groups(
        $id_user,
        $privilege,
--- a/pandora_console/include/lib/Dashboard/Manager.php
+++ b/pandora_console/include/lib/Dashboard/Manager.php
@ -1008,6 +1008,7 @@ class Manager
                    'dashboardName'  => $this->dashboardFields['name'],
                    'hash'           => self::generatePublicHash(),
                    'publicLink'     => $this->publicLink,
+                    'dashboardGroup' => $this->dashboardFields['id_group'],
                ]
            );
        } else {
@ -1025,6 +1026,7 @@ class Manager
                    'cells'          => $this->cells,
                    'cellModeSlides' => $this->cellModeSlides,
                    'cellId'         => ($this->cellId === 0) ? $this->cells[0]['id'] : $this->cellId,
+                    'dashboardGroup' => $this->dashboardFields['id_group'],
                ]
            );
        }
--- a/pandora_console/operation/agentes/pandora_networkmap.editor.php
+++ b/pandora_console/operation/agentes/pandora_networkmap.editor.php
@ -80,9 +80,15 @@ if ($edit_networkmap) {
    } else {
        $id_group = $values['id_group'];

+        $id_group_acl_check = $id_group_map;
+
+        if ($id_group_map === null) {
+            $id_group_acl_check = $values['id_group_map'];
+        }
+
        // ACL for the network map.
-        $networkmap_write = check_acl($config['id_user'], $id_group_map, 'MW');
-        $networkmap_manage = check_acl($config['id_user'], $id_group_map, 'MM');
+        $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_acl_check, 'MW');
+        $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_acl_check, 'MM');

        if (!$networkmap_write && !$networkmap_manage) {
            db_pandora_audit(
@ -265,6 +271,12 @@ if ($not_found) {
        true
    );

+    $return_all_group = false;
+
+    if (users_can_manage_group_all('AR') === true) {
+        $return_all_group = true;
+    }
+
    $table->data[1][0] = __('Group');
    $table->data[1][1] = '<div class="w250px">'.html_print_select_groups(
        // Id_user.
@ -272,7 +284,7 @@ if ($not_found) {
        // Privilege.
        'AR',
        // ReturnAllGroup.
-        true,
+        $return_all_group,
        // Name.
        'id_group_map',
        // Selected.
--- a/pandora_console/operation/agentes/pandora_networkmap.php
+++ b/pandora_console/operation/agentes/pandora_networkmap.php
@ -57,8 +57,8 @@ if (enterprise_installed()) {

        // ACL for the network map.
        // $networkmap_read = check_acl ($config['id_user'], $id_group, "MR");
-        $networkmap_write = check_acl($config['id_user'], $id_group_map, 'MW');
-        $networkmap_manage = check_acl($config['id_user'], $id_group_map, 'MM');
+        $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW');
+        $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM');

        if (!$networkmap_write && !$networkmap_manage) {
            db_pandora_audit(
@ -145,8 +145,8 @@ if (enterprise_installed()) {


        // ACL for the new network map
-        $networkmap_write_new = check_acl($config['id_user'], $id_group_map, 'MW');
-        $networkmap_manage_new = check_acl($config['id_user'], $id_group_map, 'MM');
+        $networkmap_write_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW');
+        $networkmap_manage_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM');

        if (!$networkmap_write && !$networkmap_manage) {
            db_pandora_audit(
@ -230,8 +230,8 @@ if ($new_networkmap || $save_networkmap) {

        // ACL for the network map
        // $networkmap_read = check_acl ($config['id_user'], $id_group, "MR");
-        $networkmap_write = check_acl($config['id_user'], $id_group_map, 'MW');
-        $networkmap_manage = check_acl($config['id_user'], $id_group_map, 'MM');
+        $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW');
+        $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM');

        if (!$networkmap_write && !$networkmap_manage) {
            db_pandora_audit(
@ -420,8 +420,8 @@ else if ($update_networkmap || $copy_networkmap || $delete) {
        return;
    }

-    $networkmap_write = check_acl($config['id_user'], $id_group_map_old, 'MW');
-    $networkmap_manage = check_acl($config['id_user'], $id_group_map_old, 'MM');
+    $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_map_old, 'MW');
+    $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_map_old, 'MM');

    if (!$networkmap_write && !$networkmap_manage) {
        db_pandora_audit(
@ -440,8 +440,8 @@ else if ($update_networkmap || $copy_networkmap || $delete) {

        // ACL for the new network map
        $id_group_map = (int) get_parameter('id_group_map', 0);
-        $networkmap_write_new = check_acl($config['id_user'], $id_group_map, 'MW');
-        $networkmap_manage_new = check_acl($config['id_user'], $id_group_map, 'MM');
+        $networkmap_write_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW');
+        $networkmap_manage_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM');

        if (!$networkmap_write && !$networkmap_manage) {
            db_pandora_audit(
@ -727,9 +727,9 @@ switch ($tab) {

            foreach ($network_maps as $network_map) {
                // ACL for the network map
-                $networkmap_read = check_acl($config['id_user'], $network_map['id_group_map'], 'MR');
-                $networkmap_write = check_acl($config['id_user'], $network_map['id_group_map'], 'MW');
-                $networkmap_manage = check_acl($config['id_user'], $network_map['id_group_map'], 'MM');
+                $networkmap_read = check_acl_restricted_all($config['id_user'], $network_map['id_group_map'], 'MR');
+                $networkmap_write = check_acl_restricted_all($config['id_user'], $network_map['id_group_map'], 'MW');
+                $networkmap_manage = check_acl_restricted_all($config['id_user'], $network_map['id_group_map'], 'MM');

                if (!$networkmap_read && !$networkmap_write && !$networkmap_manage) {
                    db_pandora_audit(
@ -785,6 +785,10 @@ switch ($tab) {

                $data['groups'] = ui_print_group_icon($network_map['id_group_map'], true);

+                $data['copy'] = '';
+                $data['edit'] = '';
+                $data['delete'] = '';
+
                if ($networkmap_write || $networkmap_manage) {
                    $table->cellclass[] = [
                        'copy'   => 'action_buttons',
--- a/pandora_console/operation/gis_maps/gis_map.php
+++ b/pandora_console/operation/gis_maps/gis_map.php
@ -170,8 +170,13 @@ if ($maps !== false) {
        $data['name'] = '<a href="index.php?sec=gismaps&amp;sec2=operation/gis_maps/render_view&amp;map_id='.$map['id_tgis_map'].'">'.$map['map_name'].'</a> ';
        $data['group'] = ui_print_group_icon($map['group_id'], true);

-        if ($edit_gis_maps) {
-            if ($display_default_column) {
+        $data['default'] = '';
+        $data['op'] = '';
+
+        if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW')
+            || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM')
+        ) {
+            if (check_acl_restricted_all($config['id_user'], 0, 'MM')) {
                $checked = false;
                if ($map['default_map']) {
                    $checked = true;
--- a/pandora_console/operation/gis_maps/render_view.php
+++ b/pandora_console/operation/gis_maps/render_view.php
@ -114,8 +114,8 @@ $controls = [
 $layers = gis_get_layers($idMap);

 // Render map
-$has_management_acl = check_acl($config['id_user'], $map['group_id'], 'MW')
-    || check_acl($config['id_user'], $map['group_id'], 'MM');
+$has_management_acl = check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW')
+    || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM');

 $buttons = [];

--- a/pandora_console/operation/reporting/graph_viewer.php
+++ b/pandora_console/operation/reporting/graph_viewer.php
@ -145,7 +145,9 @@ if ($view_graph) {

    $options = [];

-    if (check_acl($config['id_user'], 0, 'RW')) {
+    if (check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RW')
+        || check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RM')
+    ) {
        $options = [
            'graph_list'   => [
                'active' => false,
@ -160,6 +162,13 @@ if ($view_graph) {
                'text'   => '<a href="index.php?sec=reporting&sec2=godmode/reporting/graph_builder&tab=graph_editor&edit_graph=1&id='.$id_graph.'">'.html_print_image('images/builder.png', true, ['title' => __('Graph editor')]).'</a>',
            ],
        ];
+    } else {
+        $options = [
+            'graph_list' => [
+                'active' => false,
+                'text'   => '<a href="index.php?sec=reporting&sec2=godmode/reporting/graphs">'.html_print_image('images/list.png', true, ['title' => __('Graph list')]).'</a>',
+            ],
+        ];
    }

    $options['view']['text'] = '<a href="index.php?sec=reporting&sec2=operation/reporting/graph_viewer&view_graph=1&id='.$id_graph.'">'.html_print_image(
@ -275,7 +284,7 @@ if ($view_graph) {
    echo '</td>';

    echo "<td class='datos'>";
-    echo "<div style='float:left' id='thresholdDiv' name='thresholdDiv'>&nbsp;&nbsp;<b>".__('Equalize maximum thresholds').'</b>'.ui_print_help_tip(__('If an option is selected, all graphs will have the highest value from all modules included in the graph as a maximum threshold'), true);
+    echo "<div style='float:left' id='thresholdDiv' name='thresholdDiv'>&nbsp;&nbsp;<b>".__('Equalize maxiddmum thresholds').'</b>'.ui_print_help_tip(__('If an option is selected, all graphs will have the highest value from all modules included in the graph as a maximum threshold'), true);

    html_print_checkbox('threshold', CUSTOM_GRAPH_BULLET_CHART_THRESHOLD, $check, false, false, '', false);
    echo '</div>';
--- a/pandora_console/operation/reporting/reporting_viewer.php
+++ b/pandora_console/operation/reporting/reporting_viewer.php
@ -80,7 +80,16 @@ $options['list_reports'] = [
    ).'</a>',
 ];

-if (check_acl($config['id_user'], 0, 'RW')) {
+if ($id_report > 0) {
+    $report_group = db_get_value(
+        'id_group',
+        'treport',
+        'id_report',
+        $id_report
+    );
+}
+
+if (check_acl_restricted_all($config['id_user'], $report_group, 'RW')) {
    $options['main']['text'] = '<a href="index.php?sec=reporting&sec2=godmode/reporting/reporting_builder&tab=main&action=edit&id_report='.$id_report.'&pure='.$pure.'">'.html_print_image(
        'images/op_reporting.png',
        true,
--- a/pandora_console/operation/visual_console/legacy_view.php
+++ b/pandora_console/operation/visual_console/legacy_view.php
@ -97,9 +97,9 @@ $bheight = $layout['height'];
 $pure_url = '&pure='.$config['pure'];

 // ACL
-$vconsole_read = check_acl($config['id_user'], $id_group, 'VR');
-$vconsole_write = check_acl($config['id_user'], $id_group, 'VW');
-$vconsole_manage = check_acl($config['id_user'], $id_group, 'VM');
+$vconsole_read = check_acl_restricted_all($config['id_user'], $id_group, 'VR');
+$vconsole_write = check_acl_restricted_all($config['id_user'], $id_group, 'VW');
+$vconsole_manage = check_acl_restricted_all($config['id_user'], $id_group, 'VM');

 if (! $vconsole_read && !$vconsole_write && !$vconsole_manage) {
    db_pandora_audit(
--- a/pandora_console/operation/visual_console/view.php
+++ b/pandora_console/operation/visual_console/view.php
@ -95,9 +95,9 @@ $groupId = $visualConsoleData['groupId'];
 $visualConsoleName = $visualConsoleData['name'];

 // ACL.
-$aclRead = check_acl($config['id_user'], $groupId, 'VR');
-$aclWrite = check_acl($config['id_user'], $groupId, 'VW');
-$aclManage = check_acl($config['id_user'], $groupId, 'VM');
+$aclRead = check_acl_restricted_all($config['id_user'], $groupId, 'VR');
+$aclWrite = check_acl_restricted_all($config['id_user'], $groupId, 'VW');
+$aclManage = check_acl_restricted_all($config['id_user'], $groupId, 'VM');

 if (!$aclRead && !$aclWrite && !$aclManage) {
    db_pandora_audit(
@ -300,7 +300,11 @@ if ($pure === false) {
            );
        echo '</div>';
        echo '</div>';
-        echo html_print_checkbox_switch('edit-mode', 1, false, true);
+
+        if ($aclWrite || $aclManage) {
+            echo html_print_checkbox_switch('edit-mode', 1, false, true);
+        }
+
        echo '</div>';
    }
 }
--- a/pandora_console/views/dashboard/formDashboard.php
+++ b/pandora_console/views/dashboard/formDashboard.php
@ -43,6 +43,12 @@ if (empty($arrayDashboard) === true) {
    }
 }

+$return_all_group = false;
+
+if (users_can_manage_group_all('RW') === true) {
+    $return_all_group = true;
+}
+
 $dataQuery = ['dashboardId' => $dashboardId];

 $url = ui_get_full_url(
@ -100,11 +106,12 @@ $inputs = [
            [
                'label'     => __('Group'),
                'arguments' => [
-                    'name'     => 'id_group',
-                    'id'       => 'id_group',
-                    'type'     => 'select_groups',
-                    'selected' => $arrayDashboard['id_group'],
-                    'return'   => true,
+                    'name'           => 'id_group',
+                    'id'             => 'id_group',
+                    'type'           => 'select_groups',
+                    'returnAllGroup' => $return_all_group,
+                    'selected'       => $arrayDashboard['id_group'],
+                    'return'         => true,
                ],
            ],
        ],
--- a/pandora_console/views/dashboard/header.php
+++ b/pandora_console/views/dashboard/header.php
@ -194,7 +194,7 @@ if ($config['public_dashboard'] === true) {
        'combo_refresh_countdown'     => $comboRefreshCountdown,
    ];
 } else if ($config['pure']) {
-    if (check_acl($config['id_user'], 0, 'RW') === 0) {
+    if (check_acl_restricted_all($config['id_user'], $dashboardGroup, 'RW') === 0) {
        $buttons = [
            'back_to_dashboard_list'      => $back_to_dashboard_list,
            'normalscreen'                => $normalscreen,
@ -221,7 +221,7 @@ if ($config['public_dashboard'] === true) {
        }
    }
 } else {
-    if (check_acl($config['id_user'], 0, 'RW') === 0) {
+    if (check_acl_restricted_all($config['id_user'], $dashboardGroup, 'RW') === 0) {
        $buttons = [
            'back_to_dashboard_list' => $back_to_dashboard_list,
            'fullscreen'             => $fullscreen,
--- a/pandora_console/views/dashboard/list.php
+++ b/pandora_console/views/dashboard/list.php
@ -155,6 +155,11 @@ if (empty($dashboards) === true) {
        $data['full_screen'] .= '</a>';

        if ($manageDashboards === 1) {
+            $data['copy'] = '';
+            $data['delete'] = '';
+        }
+
+        if (check_acl_restricted_all($config['id_user'], $dashboard['id_group'], 'RM')) {
            $dataQueryCopy = [
                'dashboardId'   => $dashboard['id'],
                'copyDashboard' => 1,